CookieCsrfTokenRepository should use the SameSite attribute #7990

Closed

ddevrien opened this issue Feb 17, 2020 · 6 comments
Labels
status: duplicate A duplicate of another issue

Comments

@ddevrien
Contributor

Chrome 80 changed the way it handles cookies that do not set a SameSite attribute. More information: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html. While this change does not break anything, it does generate warnings in the developer console because the SameSite attribute is missing.

It is currently not possible to specify a SameSite value on the CookieCsrfTokenRepository. The underlying problem is that the Cookie class in the Java Servlets API does not support the SameSite attribute. Should we check for an alternative? Or wait until the Servlets API adds support for SameSite?
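One way to work around the missing setter in the Servlet Cookie class, as an added example that is not part of this issue or of Spring Security's own code: delegate token generation and loading to CookieCsrfTokenRepository but write the XSRF-TOKEN cookie yourself as a raw Set-Cookie header. It assumes Spring Security 5.x with the javax.servlet API; the class name, the cookie name and the Path logic are assumptions for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;

// Hypothetical wrapper (not a Spring Security class): emits the CSRF cookie
// as a hand-built Set-Cookie header so a SameSite attribute can be included.
public class SameSiteCookieCsrfTokenRepository implements CsrfTokenRepository {

    // Must match the name the delegate reads back in loadToken (its default).
    private static final String COOKIE_NAME = "XSRF-TOKEN";

    // HttpOnly=false keeps the double-submit cookie readable by the JS client.
    private final CookieCsrfTokenRepository delegate =
            CookieCsrfTokenRepository.withHttpOnlyFalse();
    private final String sameSite; // "Strict" or "Lax"

    public SameSiteCookieCsrfTokenRepository(String sameSite) {
        this.sameSite = sameSite;
    }

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        return delegate.generateToken(request);
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request,
                          HttpServletResponse response) {
        // A null token means "remove the cookie" (e.g. on logout).
        String value = (token == null) ? "" : token.getToken();
        String path = request.getContextPath().isEmpty() ? "/" : request.getContextPath();
        StringBuilder header = new StringBuilder()
                .append(COOKIE_NAME).append('=').append(value)
                .append("; Path=").append(path)
                .append("; SameSite=").append(sameSite);
        if (request.isSecure()) {
            header.append("; Secure"); // only send over HTTPS when we have it
        }
        if (token == null) {
            header.append("; Max-Age=0"); // expire immediately
        }
        response.addHeader("Set-Cookie", header.toString());
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        return delegate.loadToken(request);
    }
}
```

Wire it in with `http.csrf().csrfTokenRepository(new SameSiteCookieCsrfTokenRepository("Strict"))`; note that SameSite=Strict will also withhold the cookie on top-level cross-site navigations, so choose Lax if those must carry the token.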

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 17, 2020
@eleftherias eleftherias self-assigned this Feb 19, 2020
@eleftherias
Contributor

At this time, you can use Spring Session to set the SameSite attribute on the session cookie.

More information on that can be found in the Spring Session documentation.

@ddevrien
Contributor Author

Hi @eleftherias, we are indeed using a custom cookieSerializer to set the SameSite attribute for session cookies, but that does not make it possible to set the attribute for the XSRF-TOKEN cookie.

@eleftherias
Contributor

Thanks for the clarification @ddevrien.
Would gh-7537 cover your use case?

@ddevrien
Contributor Author

Yes, that's exactly the feature we'd like to see added. Shall I close this issue then?

@eleftherias eleftherias added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 26, 2020
@eleftherias
Contributor

@ddevrien Yes, please feel free to close this issue.

@svschouw-bb
Contributor

svschouw-bb commented Oct 13, 2022

Should this ticket be reopened? @rwinch closed #7537 because that was more about replacing CSRF with SameSite, which was a "Won't Do". But I think many people actually want (or need) this ticket. The only reason this ticket was closed was because it seemed to be a duplicate of #7537? Which it isn't.

Edit: #11913 is the more recent version.
